1. (Currently Amended) A machine-readable medium having stored thereon sequences
of instructions which, when executed by a processor, cause the processor to perform the acts of: 

disabling access to at least a first section of code in a network driver interface that 
is being executed by the processor, wherein the network driver interface provides for 
communication between one or more media access control units and one or more protocol 
drivers in a computer system according to a set of bindings; 

patching the first section of code while the network driver interface is being 
executed by the processor to cause the insertion of a rerouting driver into the one or more 
communication paths provided by the set of bindings; and 

re-enabling access to the patched first section of code. 

2. (Original) The machine-readable medium of claim 1 wherein the patching is static 
patching. 

3. (Original) The machine-readable medium of claim 2 wherein the static patching
includes inserting a template jump from the network driver interface to a template in the 
rerouting driver. 

4. (Original) The machine-readable medium of claim 3 wherein the template jumps are 
inserted in the network driver interface so that a CALL instruction to the protocol driver is 
replaced with a JUMP to the template in the rerouting driver, the template containing the CALL 
instruction. 

5. (Original) The machine-readable medium of claim 2 wherein the patching the first
section of code creates at least one new binding between the network driver interface and the
rerouting driver.

6. (Original) The machine-readable medium of claim 5 wherein the at least one new
binding provides for communication between one or more media access control units and a 
capturing unit in the rerouting driver. 

7. (Original) The machine-readable medium of claim 6 wherein the capturing unit is 
used to intercept communications over the at least one new binding. 

8. (Original) The machine-readable medium of claim 1 wherein the patching is dynamic 
patching. 

9. (Original) The machine-readable medium of claim 8 wherein the dynamic patching 
includes establishing a new binding between at least one media access control unit and dynamic 
patching code in the rerouting driver, and inserting a template jump in the network driver 
interface to a template in the rerouting driver. 

10. (Original) The machine-readable medium of claim 9 wherein the template jumps are 
inserted in the network driver interface so that a CALL instruction to the protocol driver is 
replaced with a JUMP to the template in the rerouting driver, the template containing the CALL 
instruction. 

11. (Currently Amended) A computer implemented method comprising:

transmitting from a remote host to a first target computer on a network an 
installation application and a rerouting driver; 

transmitting from the remote host to the first target computer a command to cause 
the first target computer to execute the installation application; 

the first target computer, responsive to receipt of the command, executing the 
installation application, wherein the first target computer includes a network driver interface that 
provides for communication between one or more media access control units and one or more 
protocol drivers according to a set of bindings; and 

the first target computer, responsive to executing the installation application,
causing the modification of the network driver interface to insert the rerouting driver into the one
or more communication paths provided by the set of bindings while the network driver interface
is being executed by the first target computer and without restarting the first target computer.

12. (Original) The computer implemented method of claim 11 wherein the modification 
of the network driver interface is by static patching. 

13. (Original) The computer implemented method of claim 12 wherein the static 
patching further comprises inserting template jumps from the network driver interface to 
templates in the rerouting driver. 

14. (Original) The computer implemented method of claim 13 wherein the template 
jumps are inserted in the network driver interface so that a CALL instruction to the protocol 
driver is replaced with a JUMP to the template in the rerouting driver, the template containing 
the CALL instruction. 

15. (Original) The computer implemented method of claim 11 wherein the modification 
of the network driver interface is by dynamic patching. 






PAGE 10/46 * RCVD AT 10(4/2004 7:04:07 PM [Eastern Daylight Time] 1 SVR:USPT0-EFXRM/1 ' DN1S:8729306 * CSID:404 572 5145 ' DURATION (mm-ss):12-34 



OCT 04 2004 19:08 FR KING AND SPPLDING 404 572 5145 TO 555 i «05456tt 1 0503 P. 11 



Serial No. 09/456,894 

16. (Original) The computer implemented method of claim 15 wherein the dynamic
patching further comprises establishing a new binding between at least one media access control 
unit and dynamic patching code in the rerouting driver, and inserting a template jump in the 
network driver interface to a template in the rerouting driver. 

17. (Original) The computer implemented method of claim 16 wherein the template 
jumps are inserted in the network driver interface so that a CALL instruction to the protocol 
driver is replaced with a JUMP to the template in the rerouting driver, the template containing 
the CALL instruction. 

18. (Currently Amended) A computer system comprising:
a processor for simultaneously executing:

a protocol driver;

a network driver interface;

a media access control unit; and

a rerouting driver;

[[a]] the network driver interface to store a first binding defining a 
communication path between the protocol driver and the media access control unit, the network 
driver interface coupled to communicate packets with the media access control unit, the network 
driver interface being patched to communicate the packets with [[a]] the rerouting driver, and 

the rerouting driver being executed by the processor at the same time as the
network driver interface and being coupled to communicate the packets with the protocol driver. 

19. (Original) The computer system of claim 18, the rerouting driver further comprising 
static patching code. 

20. (Original) The computer system of claim 18, the rerouting driver further comprising
dynamic patching code.

21. (Original) The computer system of claim 18, the rerouting driver further comprising
a capture unit to store in a buffer one or more of the packets for evaluation.

22. (Original) The computer system of claim 21, the network interface to also store a 
second binding defining a communication path between the rerouting driver and the media 
access control unit; and, the capture unit to store in the buffer the packets destined for the 
rerouting driver. 

23. (Currently Amended) A rerouting driver for remotely installing network drivers and software 
in a computer system without restarting the computer system following installation, the computer system 
having an operating system in which a network driver interface provides communication of information
between at least one media access control unit and at least one protocol driver on the computer system, 
the rerouting driver comprising: 

control code, for controlling the rerouting driver; 

binding code, for establishing at least one binding at the network driver interface so that 
the rerouting driver is bound to at least one media access control unit while the network driver interface 
and the rerouting driver are executed at the same time;

patching code, for inserting template jumps into at least a first section of code in the 
network driver interface, the template jumps providing jumps to templates in the rerouting driver so that 
information from at least one media access control unit destined for at least one protocol driver is rerouted 
to the rerouting driver while the network driver interface and the rerouting driver are executed at the same
time;

at least one template, for receiving information from at least one template jump in the 
network driver interface; 

inserted code, for evaluating rerouted information received by the template jumps. 

24. (Original) The rerouting driver of claim 23 wherein the control code identifies a
starting memory address of the network driver interface instruction code and disables access to 
the first section of code, and further wherein the patching code, following the disabling of 
access, operates to overwrite the first section of code and additional predetermined memory 
addresses so that all the pre-determined memory addresses are patched. 

25. (Original) The rerouting driver of claim 23 wherein the patching code responsive to
receipt of information being sent from the network driver interface, determines the instruction
code address that sent the information and overwrites the first section of code at that address so
that memory addresses are incrementally patched as information is received from the network
driver interface.

26. (Currently Amended) A method for disabling and re-enabling access to code in a
multiprocessor system having a shared memory and a network driver interface comprising: 

selecting a first section of code of the network driver interface in a first central processing 
unit that is to be modified while the network driver interface is running;

writing the first section of code of the network driver interface into the cache memory of
the first central processing unit while the network driver interface is running;

overwriting a portion of the first section of code in cache memory with blocking code to
create a first version of code while the network driver interface is running;

writing the first version of code into shared memory while the network driver interface is
running;

modifying the first version of code in the cache memory to create a second version of
code, wherein a portion of the code following the blocking code is overwritten with template
jumps to effect a static patch of the network driver interface while the network driver interface is
running;

writing the second version of code into shared memory while the network driver interface
is running;

modifying the second version of code in the cache memory with code to create a third
version of code, wherein the blocking code is overwritten to remove the blocking code while the
network driver interface is running; and

writing the third version of code into shared memory while the network driver interface is 
running. 

27. (Cancelled).

28. (Currently Amended) A machine-readable medium having stored therein
instructions, which when executed, cause a set of one or more processors to perform the 
following: 

disabling access to a first section of code of a network driver interface while the network
driver interface is running, the first section of code to be executed when to provide providing a
communication path between a media access control unit and an application, the first section of 
code including a generic call; and 

overwriting the first section of code with a second section of code while the network 
driver interface is running whose execution causes execution flow to be rerouted to a third 
section of code in a rerouting driver, the second section of code being no larger than the first 
section of code, 

the third section of code, when executed and while the network driver interface is 
running, completing the communication path and returning execution flow, the third section of
code including additional code not present in the first section of code that is now inserted into the 
communication path. 

29. (Original) The machine-readable medium of claim 28 wherein the second section of 
code contains a template jump to a template in the third section of code. 

30. (Currently Amended) A distributed packet based security system installed using a
patching technique for each individual computer and enabled without shutdown or restart across 
a plurality of computers in a network that enables each of said plurality of computers to evaluate 
packets received over the network according to a predetermined standard and selectively allow 
transmission of such packets from the network to a protocol driver, each of the computers
comprising: 

a processor for running a network driver interface and the distributed packet 
based security system and for installing first and second code while the network driver interface
is running; and

a shared memory buffer between a user space that stores the first code of the 
distributed packet based security system and a system address space that stores the protocol 
driver and second code of the distributed packet based security system, wherein said second code 
is coupled to said shared memory to store information regarding packets received over the 
network, and wherein said first code is coupled to the shared memory buffer to evaluate
information stored in the shared memory buffer.

31. (Cancelled). 

32. (Cancelled). 

33. (Original) The distributed packet based security system of claim 30, wherein the
install is performed remotely from a host computer on said network.

34. (Currently Amended) A computer system comprising:

a plurality of networked computers each including, 
a network driver interface;

a media access control unit coupled to the physical transmission medium of the 
network to extract packets from data provided across said medium; 

a protocol driver coupled to the media access control unit via the network driver
interface; and

filter code being installed such that the code is coupled to the network driver 
interface while the network driver interface is running and in between the media access control 
unit and the protocol driver and enabled without shutdown or restart to evaluate said packets and 
selectively allow continued transmission of different ones of said packets to the protocol driver. 

35. (Original) The computer system of claim 34, wherein the install is performed using a 
patching technique. 

36. (Original) The computer system of claim 34, wherein each of the plurality computers 
includes a shared memory buffer between a user space that stores a security application and a 
system address space that stores the media access control unit, the protocol driver, and the filter 
code, wherein said filter code is coupled to said shared memory to store information regarding 
packets received over the network, and wherein said security application is coupled to the shared 
memory buffer to evaluate information stored in the shared memory buffer. 

37. (Original) The computer system of claim 34, wherein the install is performed
remotely from a host computer on said network.

38. (Currently Amended) A computer implemented method comprising:

distributing from a remote host across a network to a plurality of computers code 
comprising a security filter to be installed by each of said plurality of computers, each of said 
plurality of computers including routines to be executed to provide a communication path 
between a media access control unit coupled to the network and a protocol driver, said 
communication path for packets transmitted across said network; 

transmitting from the remote host to each of the plurality of computers a 
command to cause each of the plurality of computers to execute said code; and 

each of the plurality of computers responsive to said command performing, 
installing a driver the code while running a network driver interface such that the code is in the
communication path between the media access control unit and the protocol driver, said installed
driver code being enabled, without restart of said computer, to evaluate selectively allowing
continued transmission of different ones of said packets received over said network along the 
communication path. 

39. (Original) The method of claim 38, wherein said installing is performed using a 
patching technique. 

40. (Original) The method of claim 38, wherein each of the plurality computers
responsive to said command also perform, forming a shared memory buffer between a system 
address space that stores the protocol driver and a user space that stores a security application, 
wherein said driver is coupled to said shared memory to store information regarding packets 
received over the network, wherein said application is coupled to the shared memory buffer to 
evaluate information stored in the shared memory buffer. 

41. (Cancelled) 



42. (Currently Amended) A machine-readable medium that provides instructions, which
when executed by a set of processors, cause said set of processors to perform operations 
comprising: 

distributing from a remote host across a network to a plurality of computers code 
comprising a security filter to be installed by each of said plurality of computers, each of said 
plurality of computers including routines to be executed to provide a communication path 
between a media access control unit coupled to the network and a protocol driver, said 
communication path for packets transmitted across said network; 

transmitting from the remote host to each of the plurality of computers a 
command to cause each of the plurality of computers to execute said code; and 

each of the plurality of computers responsive to said command performing, 
installing a driver the code while running a network driver interface such that the code is in the
communication path between the media access control unit and the protocol driver, said installed 
driver code being enabled, without restart of said computer, to evaluate selectively allowing 
continued transmission of different ones of said packets received over said network along the 
communication path. 

43. (Original) The machine-readable medium of claim 42, wherein said installing is
performed using a patching technique.

44. (Original) The machine-readable medium of claim 42, wherein each of the plurality
computers responsive to said command also perform, forming a shared memory buffer between a 
system address space that stores the protocol driver and a user space that stores a security 
application, wherein said driver is coupled to said shared memory to store information regarding 
packets received over the network, wherein said application is coupled to the shared memory 
buffer to evaluate information stored in the shared memory buffer. 

45. (Currently Amended) A computer implemented method comprising: 

installing into each of a plurality of computers on a network code coupled to the 
network driver interface while the network driver interface is running that is the code forming
part of a distributed packet security system, said code being installed such that packets 
transmitted across said network to a given one of said plurality of computers is received by said 
code before being provided to a protocol driver; 

at least the first of said plurality of computers without being shutdown or
restarted, receiving a packet from said network; and

said code executing on said first computer selectively forwarding said packet onto 
the protocol driver depending upon parameters of the distributed packet base security system. 

46. (Original) The method of claim 45, wherein said installing is performed using a 
patching technique. 

47. (Original) The method of claim 45, wherein said installing is performed remotely
over said network.

48. (Currently Amended) A machine-readable medium that provides instructions, which
when executed by a set of processors, cause said set of processors to perform operations 
comprising: 

installing and enabling, without shutdown or restart, on each of a plurality of 
computers on a network code coupled to a network driver interface while the network driver 
interface is running, that is the code forming part of a distributed packet security system, said
code being installed such that packets transmitted across said network to a given one of said 
plurality of computers is received by said code before being provided to a protocol driver; 

wherein said code, when executed responsive to one of said plurality of 
computers receiving a packet from said network, selectively forwards said packet onto the 
protocol driver depending upon parameters of the distributed packet base security system. 

49. (Original) The machine-readable medium of claim 48, wherein said installing is 
performed using a patching technique. 

50. (Original) The machine-readable medium of claim 48, wherein said installing is
performed remotely over said network.

51. (Currently Amended) A computer implemented method comprising:

installing into each of a plurality of computers on a network first and second code 
that is part of a distributed packet security system, said first code being installed in a user address 
space, said second code being installed while the network driver interface is running and being in 
a communication with the network driver interface of a system address space, said second code 
being installed such that packets transmitted across said network to a given one of said plurality 
of computers is received by said second code before being provided to a protocol driver in said 
system space; 

at least the first of said plurality of computers without being shutdown or 
restarted, receiving a packet from said network; 

said second code storing at least certain information from said packet into a 
shared memory buffer between the user address space and the system address space; and 

said first code accessing information from said shared memory buffer. 

52. (Original) The method of claim 51, wherein said installing is performed using a 
patching technique. 

53. (Original) The method of claim 51, wherein said installing is performed remotely 
over said network. 

54. (Cancelled).

55. (Currently Amended) A machine-readable medium that provides instructions, which
when executed by a set of processors, cause said set of processors to perform operations 
comprising: 

installing and enabling, without shutdown or restart, on each of a plurality of 
computers on a network first and second code that is part of a distributed packet security system, 
said first code being installed in a user address space, said second code being installed while the 
network driver interface is running and being in a communication with the network driver 
interface of a system address space, said second code being installed such that packets 
transmitted across said network to a given one of said plurality of computers is received by said 
second code before being provided to a protocol driver in said system space; 

wherein said second code, when executed responsive to a first of said plurality of 
computers receiving a packet from said network, stores at least certain information from said 
packet into a shared memory buffer between the user address space and the system address 
space; and 

wherein said first code when executed by said first computer accesses said 
information from said shared memory buffer. 

56. (Original) The machine-readable medium of claim 54, wherein said installing is 
performed using a patching technique. 

57. (Original) The machine-readable medium of claim 54, wherein said installing is 
performed remotely over said network. 

58. (Cancelled). 